SQL Injection detection

GMartin

Besides parameterizing SQL or using Stored Procedures, is there any
reliable way to test if a string has an SQL Injection attack? For
example, can one use the same method ADO uses when examining
parameters to detect SQL Injection?
 
You can run regex, but you have to be careful about the things you are
looking for. Generally things like:

' or userName is not null --

You can find the patterns, but what if the pattern is legal in a string? You
then throw out things that are valid. Better to parameterize.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

*************************************************
| Think outside the box!
|
*************************************************
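
Added example, not part of the original posts: the trade-off described in the reply above, shown with Python's `sqlite3` standing in for ADO. The `users` table, its sample rows, and the blocklist regex are constructed for illustration; only the `' or userName is not null --` string comes from the thread.

```python
import re
import sqlite3

# Hypothetical blocklist of the kind a regex filter might use (constructed).
SUSPICIOUS = re.compile(r"('|--|\bor\b|\bis\s+not\s+null\b)", re.IGNORECASE)

ATTACK = "' or userName is not null --"   # pattern quoted in the reply
LEGIT = ["O'Brien", "bob -- or robert"]   # constructed, valid stored values


def regex_flags(value):
    """Return True if the blocklist regex would reject this input."""
    return bool(SUSPICIOUS.search(value))


def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userName TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice",)] + [(name,) for name in LEGIT])
    return db


def lookup_concat(db, name):
    """Vulnerable form: the input is spliced into the SQL text."""
    sql = "SELECT userName FROM users WHERE userName = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, name):
    """Parameterized form: the input is bound as data, never parsed as SQL."""
    sql = "SELECT userName FROM users WHERE userName = ?"
    return [row[0] for row in db.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for value in [ATTACK, "alice"] + LEGIT:
        print(repr(value),
              "| regex rejects:", regex_flags(value),
              "| parameterized lookup:", lookup_param(db, value))
    # Concatenation lets the quoted pattern rewrite the WHERE clause.
    print("concatenated lookup with pattern:", lookup_concat(db, ATTACK))
```

The regex rejects both legitimate names along with the injection pattern, while the parameterized lookup returns the legitimate rows and treats the pattern as a name that matches nothing.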
 